access control. See also Dynamic Access Control; File Server Resource Manager (FSRM)
access control lists (ACLs) 114, 179, 206
access-denied assistance 306
access-denied remediation 306–308
activation requests 148
Active Directory (AD)
architecture
clean source principles in 135–138
Active Directory (AD) administrative tiers 133–134
Active Directory Certificate Services (AD CS) 15
Active Directory Domain Services (AD DS)
recovery password retrieval from 12–13
Add-HgsKeyProtectionCertificate cmdlet 67
Address Space Layout Randomization (ASLR) 35
administrative architecture
administrative credentials 40
administrative forests 131–138
AD administrative tiers 133–134
administrative privileges 134–135
Administrator account
changing name of 183
administrator groups 290
administrator logons
admin-trusted attestation 63–67
Advanced Audit Policy Configuration folder 193–198
Advanced Threat Analytics (ATA) 213–229
architecture 217
ATA Center 215, 220–221, 224–226
deployment requirements 215–219
event forwarding 220
installation and configuration 220–224
compromised credentials 214–215
domain dominance 214
lateral movement 214
privilege escalation 214
reconnaissance 213
AES-128 algorithm 7
AES-256 algorithm 7
alerts
syslog 226
Allow BitLocker Without A Compatible TPM setting 6
antimalware assessment 236–237
Application Identity service (AppIDSvc) 32
application-specific firewall rules 105–107
AppLocker
policies
rules
ATA. See Advanced Threat Analytics
ATA Gateways 216–218, 220, 222–224
ATA Lightweight Gateways 216–218, 224
Audit Account Logon Events 193
Audit Account Management 193
Audit Credential Validation Properties 199
Audit Directory Service Access 193
Audit File System setting 305
Audit Group Membership policy 209
Auditing Entry dialog box 201–202, 207
auditing entry expression 306
Audit Logon Events 193
Audit Object Access 193
Audit PNP Activity policy 208
audit policies 240
Audit Group Membership policy 209
configuration of advanced 189–212
local 191
operating system versions 197
PNP activity policy 208
priorities 197
using Windows PowerShell 206–207
Audit Policy Change 193
Audit Privilege Use 193
Audit Process Tracking 193
Audit System Events 193
authenticated firewalls 107–108
authentication
multifactor 134
selective 134
Authentication Header (AH) 100
Automatic Updates
Azure Operational Insight 230
Azure Resource Manager (ARM) 109–110
Azure Stack 113
Background Intelligent Transfer Service (BITS) 25
Basic Input Output System (BIOS) 2
bastion forests
requesting privileged access to 145
trusts between production and 140–143
BDE. See BitLocker Drive Encryption
binary options 118
BIOS. See Basic Input Output System
BitLocker Drive Encryption (BDE) 1
enabling to use Secure Boot 4
installation 5
on CSVs 9
on Hyper-V virtual machines 9
on SANs 9
BITS. See Background Intelligent Transfer Service (BITS)
blacklisting 31
Boot Configuration Database (BCD) 4
CAPs. See central access policies
CARs. See central access rules
central access policies (CAPs) 294–295
creating 301
central access rules (CARs) 293, 298–300
CFG. See Control Flow Guard
CIA rule of information security 100
CIFS. See Common Internet File System (CIFS) protocol
CIM. See Common Information Model
classification properties 284–286
clean source principles 135–138, 167
for administrative architecture 137–138
for installation media 136–137
for system hardware 136
transitive dependencies 136
cloud-based services 246
cluster dialect fencing 117
Cluster Rolling Upgrade (CRU) 117
cluster shared volumes (CSVs)
BitLocker on 9
code integrity policies 38–39, 66
Common Information Model (CIM) 44
Common Internet File System (CIFS) protocol 115
compatibility support module (CSM) 3
Compute Resource Provider (CRP) 110
ConfigCI PowerShell module 37
connection security rules 100–105
configuring IPSec defaults 105
defining
in Windows PowerShell 104
containers
portability of 264
Control Flow Guard (CFG) 35–36
Create Claim Type dialog box 295
Credential Guard
Isolated User Mode 81
system requirements 42
verifying operation of 44
via command prompt 45
weaknesses 45
credentials
compromised credentials 214–215
derived credentials 42
CRU. See Cluster Rolling Upgrade
CSM. See compatibility support module
DAC. See Dynamic Access Control
data
Datacenter Firewall. See also Distributed Firewall
access control lists 114
Data Execution Prevention (DEP) 35
data recovery agents (DRAs) 15–16
DEP. See Data Execution Prevention
deployment
BitLocker Drive Encryption 4–9
derived credentials 42
Desired State Configuration (DSC) 46, 156, 164–165, 260–263
configuration scripts
compiling 262
device claims 293
Device Guard
code integrity policy rule creation 38–39
components 37
deployment workflow 40
system requirements 37
TPM-trusted attestation and 66
Direct Memory Access (DMA) attacks 37
Direct Memory Access (DMA) protection 43
Distributed Firewall
with software-defined networking 109–112
Distributed Management Task Force (DMTF) 44
DNS connections
DNSSEC. See Domain Name System Security Extensions
Dockerd.exe 265
Docker.exe 265
domain controllers
attacks on 215
install and configure ATA Lightweight Gateways on 224
Domain location profile 98
DomainName parameter 250
Domain Name System (DNS) 119
intelligent DNS responses 123–124
split-brain 122
Domain Name System Security Extensions (DNSSEC) 119–121
domains
domain security groups 290
DRAs. See data recovery agents
DSC. See Desired State Configuration
Dynamic Access Control (DAC) 207, 267, 293–307
access-denied remediation 306–308
central access policies 301–303
policy changes and staging 304–305
resource property lists 297–298
Dynamic Host Configuration Protocol (DHCP) 253
EFS. See Encrypting File System
Enable-BitLocker cmdlet 8
Encapsulating Security Payload (ESP) 100
Encrypting File System (EFS) 15–16
encryption
BitLocker Drive Encryption 4–9
hardware and firmware requirements for 2–4
RMS 282
shielded VMs 83
SMB 117
encryption-supported VMs 83–84
endpoints, JEA 153
configuring on server, using DSC 164–165
connecting to 161
creating 160
Enhanced Administrative Security Environment (ESAE) 131–138
Active Directory (AD) administrative tiers 133–134
clean source principles 135–138
forest design architecture
usage scenarios 132
Enhanced Mitigation Experience Toolkit (EMET) 35
Enter-PSSession cmdlet 153, 160, 161
ESAE. See Enhanced Administrative Security Environment
event forwarding 220
event ID 4776 220
eventvwr.msc command 34
expression-based audit policies 207–208
fabric 60
fabric administrators 60, 63, 76
failover clusters 83
Federal Information Processing Standard (FIPS) 8
File Classification Infrastructure (FCI) 283–288
classification properties 284–286
File Expiration 281
file/folder virtualization 41
File Management Tasks folder 280–283
file ownership 269
file screens
File Server Resource Manager (FSRM) 267
access-denied remediation 306–308
File Classification Infrastructure 283–288
File Management Tasks folder 280–283
file screen configuration 276–278
resource property lists 297–298
file services infrastructure security 267–306
file sharing 267
firewall.cpl 90
firewalls 89. See also Windows Firewall
software-defined Distributed Firewall 109–115
forests
bastion
ESAE administrative forest design approach 131–138
safe harbor 61
fully qualified domain name (FQDN) 67
gateways
Get-AdmPwdPassword cmdlet 182
Get-NetFirewallRule cmdlet 97
Get-PAMRoleForRequest cmdlet 148, 151
Get-VMSecurity command 72
Global Object Access Auditing 194–195
global security groups 65
Group Policy
audit policies 191, 197, 198–202, 240
configuring SMB signing using 119
configuring user rights assignment using 169–173
defining connection security rule in 101–102
LAPS installation using 180–181
LAPS settings 181
network location profiles using 98–99
Password Settings policy 183–184
Remote Credential Guard activation using 176
Security Options setting in 173–174
Windows Firewall configuration using 98–99
group policy objects (GPOs) 169–172
guarded fabric
attestation configuration 63–67
guarded host configuration 67–68
workflow 63
guarded hosts 61
migrating shielded VMs to 68–72
provisioning shielded VMs on 80
hardware
clean source for 136
hardware security module (HSM) 67
HGS. See Host Guardian Service
Host Guardian Service (HGS)
attestation configuration 63–67
clients 61
guarded host configuration 67–68
Key Protection Service configuration 66–67
migrating shielded VMs to guarded hosts 68–72
HSM. See hardware security module
Hyper-V. See also virtual machines
BitLocker on 9
creating shielded VMs using
Device Guard and 37
Nano Server and 247
network virtualization 114–115
IIS Hostable Web Core feature 290
infrastructure-as-a-service (IaaS) 110
Input/Output Memory Management Units (IOMMUs) 37
installation media
Install-WindowsFeature cmdlet 268
Internet Engineering Task Force (IETF) 119
Internet Information Services (IIS) 290
Internet Protocol Security (IPSec)
connection security rule types 100–101
default configuration 105
network overhead and 100
server security and 100
intrusion detection 135
intrusion prevention 135
Invoke-GPUpdate cmdlet 13
IP addresses
configuration, for Nano Server 253–256
IPSec. See Internet Protocol Security
IP Security Monitor 102
IP Security Policy Management 102
IP Security Policy Wizard 102–103
IsHostGuarded property 73
Isolated User Mode (IUM) 80–81
JEA. See just-enough-administration
JEA endpoints 165
JEA toolkit 165
JIT. See just-in-time (JIT) administration
just-enough-administration (JEA) 151–165
Desired State Configuration and 164–165
enabling on Windows Server 2016 152–154
session configuration files 154–156
session stages 153
WMF 5.0 and 163
Just Enough Administration (JEA) 76
just-in-time (JIT) administration 138–151
Privileged Access Management 145–147
trusts between production and bastion forests 140–143
using time-based policies 148–151
Kerberos Golden Ticket 215
key protection 61
Key Protection Service (KPS)
key protectors 82
LAPS. See Local Administrator Password Solution
lateral movement 214
least privilege principle. See principle of least privilege
Link Azure Subscription page 235–236
Local Administrator Password Solution (LAPS) 177–184
managing password parameters and passwords using 183–184
securing local administrator passwords with 181–183
Local Configuration Manager (LCM) 261
LocalGPO.wsf 54
Local Security Authority (LSA) 37, 41–42, 175
Local Security Authority Subsystem Service (LSASS) 40–41
logging
LSA. See Local Security Authority
antimalware assessment 236–237
Management Object Format (MOF) files 262
MBAM. See Microsoft BitLocker Administration and Monitoring
MDOP. See Microsoft Desktop Optimization Pack
Microsoft Advanced Threat Analytics. See Advanced Threat Analytics
Microsoft Azure
software-defined networking and 109–110
Virtual Filtering Platform (VFP) 115
Microsoft BitLocker Administration and Monitoring (MBAM) 14–15
Microsoft Desktop Optimization Pack (MDOP) 14
Microsoft Identity Manager (MIM)
creating bastion forest using 139–140
policies 147
requesting privileged access using 145
web portal configuration 144–145
Microsoft Intune 37
Microsoft Management Console (MMC) 15, 267
Microsoft Message Analyzer (MMA) 115, 124–126
Microsoft Monitoring Agent (MMA) 230
Microsoft Protection Service (MPSSVC) policies 194
Microsoft Security Essentials (MSE) 30
Mimikatz 41
MMC. See Microsoft Management Console
MSE. See Microsoft Security Essentials
msMcsAdmPwd 178
msMcsAdmPwdExpirationTime 178
multifactor authentication 134
multi-tenancy 113
Name Resolution Policy Table (NRPT) 121–122
namespace isolation 263
Nano Server
connecting to, using PowerShell 258–260
Desired State Configuration 260–263
firewall rules configuration 256–258
implementing security policies on 260–263
IP address configuration 253–256
virtual machine creation 251–252
Windows Remote Management configuration 258
Nano Server Recovery Console 253–257
nested virtualization 75
netdom 64
netsh 98
netsh advfirewall firewall 90
Network Controller server role 109, 110–112
secure network traffic 115–126
software-defined Distributed Firewall 109–115
networking
Network Location Awareness (NlaSvc) 98
network location profiles 98–99
Network Monitor (Netmon) 124
network performance
SMB signing and 119
Network Resource Provider (NRP) 110
Network Security Group (NSG) 110, 114
network security groups 112–114
network traffic security 115–126
network virtualization 114–115
New-NanoServerImage cmdlet 247–251, 254, 261
New-PAMGroup cmdlet 143
New-PAMRole cmdlet 148, 149–150
New-PAMTrust cmdlet 141
New-PAMUser cmdlet 143
New-PSSession cmdlet 258
New-PSSessionConfigurationFile cmdlet 154, 159
New Virtual Machine Wizard 251
New-VM PowerShell cmdlet 252
NT LAN Manager (NTLM)
NTLM hashes 214
OMS. See Operations Management Suite
Open Systems Interconnection (OSI) reference model 92
operating systems
audit policies and 198
Operations Management Suite (OMS) 230–242
antimalware assessment 236–237
security and audit solution 238–239
system update assessment 237–238
Organizational Units (OUs) 169, 191
original equipment manufacturer (OEM) 2
over-the-shoulder transcription 161–163
PAM. See Privileged Access Management
Pass-the-Hash attacks 214, 220
Pass-the-Ticket attacks 214
passwords
securing local administrator 181–183
settings configuration 183–184
Password Settings policy 183–184
PAWs. See Privileged Access Workstations
Plug and Play (PNP) activity policy 208
Port Mirrored Domain Controllers 223
pre-authentication integrity 116
principle of least privilege 1, 31, 40
Private location profile 98
Privileged Access Management (PAM) 138, 139
hardware and software requirements 146–147
high availability with 147
requirements and usage scenarios for 145–147
access management 150
using Windows PowerShell 150–151
Privileged Access Workstations (PAWs) 165–169
Enhanced Administrative Security Environment 131–138
just-enough-administration and 151–165
just-in-time (JIT) administration and 138–151
Local Administrator Password Solution 177
Privileged Access Workstations 165–169
user rights assignment 169–176
privilege escalation 214
production forests 132, 133–134, 139
trusts between bastion and 140–143
protectors
BitLocker 5
public key infrastructure (PKI) 15, 64, 120
Public location profile 98
quotas
hard 269
soft 269
reconnaissance 213
recovery
Register-PSSessionConfiguration cmdlet 160
Remote Credential Guard 175–176
Remote Desktop 167
Remote Desktop Protocol (RDP) 63
reports
Representational State Transfer (REST) 67, 113
Require Additional Authentication At Startup 5
Resolve-DnsName cmdlet 121, 141
resource governance 263
resource properties 293, 295–296
resource property lists 297–298
resources trust accounts 61
REST. See Representational State Transfer (REST)
RMS encryption 282
role-based access control 152
RoleCapabilities subfolder 157
role capability files 153, 156–160
safe harbor forests 61
SCEP. See System Center Endpoint Protection
SCM. See Security Compliance Manager (SCM)
Second-Level Address Translation (SLAT) 37
Secure Boot 3, 4, 9, 134, 136, 167
with Credential Guard 43
Secure Hypertext Transfer Protocol (HTTPS) 230
Secure Sockets Layer (SSL) 290
security
deployment of custom 53
connection security rules 100–105
physical 3
Virtualization-Based Security 37, 41–42, 75–76
Security and Audit solution 238–239
Security Compliance Manager (SCM) 46–54
creating and importing security baselines 50–53
deployment of custom security baselines 53
LocalGPO.wsf 54
security dependencies 136
Security Descriptor Definition Language (SDDL) 108
security identifiers (SIDs) 65, 108, 143, 184
security logs 191
selective authentication 134
self-signed certificates 15, 82
Server Core 246
Server Message Block (SMB) protocol 115–124
cluster dialect fencing 117
encryption 117
encryption on SMB shares 117–118
pre-authentication integrity 116
scenarios and implementations 115–117
server patching and updating 16–26, 135
server storage 268
session configuration 153
session configuration files 153, 154–156, 161
Set-Acl cmdlet 206
Set-AdmPwdComputerSelfPermission cmdlet 179
Set-AdmPwdReadPasswordPermission cmdlet 182
Set-AdmPwdResetPasswordPermission cmdlet 180
Set-HgsKeyProtectionCertificate cmdlet 67
shielded VMs
BitLocker Drive Encryption and 70–71, 83
encryption 83
migrating to other guarded hosts 68–72
provisioning on guarded host 80
requirements and scenarios for 75–76
vs. encryption-supported 83
workload administrator access 76
Shielding Data File Wizard 80
Show-ControlPanelItem -Name 'Windows Firewall' 90
SIDs. See security identifiers
Simple Mail Transfer Protocol (SMTP) 273
SLAT. See Second-Level Address Translation
SMB. See Server Message Block (SMB) protocol
software-defined networking (SDN) 109
Distributed Firewall and 109–112
split-brain DNS 122
standard user privileges 40
Start-DscConfiguration cmdlet 164, 263
Start-Transcript cmdlet 161, 212
stateful packet inspection (SPI) 105
stock-keeping units (SKUs) 37
Stop-Transcript cmdlet 212
storage area networks (SANs)
BitLocker on 9
storage reports
Storage Resource Provider (SRP) 110
storage space 268
suspicious activity
reviewing, on ATA Timeline page 227–229
syslog alerts 226
syslog server settings 226
system access control lists (SACLs) 193–194, 200, 206
System Center 2012 Endpoint Protection (SCEP) 27
System Center 2016 Virtual Machine Manager (SCVMM) 76–77
System Center Advisor (SCA) 230
System Center Configuration Manager (SCCM) 37
System Center Operations Manager (SCOM) 238
system update assessment 237–238
advanced audit policies 189–212
Advanced Threat Analytics 213–229
Operations Management Suite for 230–242
ticket-granting tickets (TGTs) 214
Timeline page, of ATA Console 227–229
TPM. See Trusted Platform Module
TPM-trusted attestation 63–64, 66
transcript files 161–163, 211–212
transitive dependencies 136
troubleshooting
Trusted Platform Module (TPM) 3–4, 6, 134, 136, 167
Turn On Module Logging setting 210–211
Turn On PowerShell Script Block Logging setting 211
Turn On PowerShell Transcription setting 211–212
UEFI. See Unified Extensible Firmware Interface
UEFI/BIOS setup 3
Unassigned Computers group 20
Unified Extensible Firmware Interface (UEFI) 2–3, 134, 136
Update Services console 20, 22–23
User Account Control (UAC) 41
user accounts
principle of least privilege and 31
user claims 293
user groups 290
user privileges 40
user rights assignment 169–176
user storage 268
VBS. See Virtualization-Based Security
Virtual Filtering Platform (VFP) 115
virtual hard drive (VHD) 15
virtualization
file/folder 41
nested 75
Virtualization-Based Security (VBS) 37, 41–42, 75–76, 81
virtualized TPM (vTPM) 9
virtual machines (VMs) 60, 167
BitLocker on 9
migrating to other guarded hosts 68–72
Virtual Secure Mode (VSM) 75, 81
virtual Trusted Platform Module (vTPM) 75, 80–83
VMs. See virtual machines
vmwp.exe 83
vTPM. See virtual Trusted Platform Module
wf.msc 90
Windows Defender
integrating with WSUS and Windows Update 30–31
managing, in Windows Server 2016 28–29
running scans using PowerShell 29
vs. Microsoft Security Essentials 30
vs. System Center Endpoint Protection 27
Windows Filtering Platform (WFP) 194
Windows Firewall
application-level rule presets 105–107
allow or deny applications 105–107
authentication firewall exceptions 107–108
connection security rules 100–105
exporting 97
network location profiles 98–99
connection security rules 93–98
importing policy settings 99
listing and exporting rules 97–98
Nano Server rules configuration 256–258
outbound rules 93
Windows Firewall with Advanced Security MMC console 92–97
Windows Hardware Quality Labs (WHQL) 38
Windows Management Framework (WMF) 5.0 163
Windows Management Instrumentation (WMI)
Windows PowerShell
binary options and 118
ConfigCI PowerShell module 37
connecting to Nano Server using 258–260
defining connection security rules in 104
Desired State Configuration 46, 260–263
implementing auditing using 206–207
over-the-shoulder transcription 161–163
requesting privileged access using 150–151
running Windows Defender scans using 29
session configuration 153
Windows Firewall rules and 97–98
Windows Remote Management 258
Windows Server 2016
Docker and 264
enabling JEA solution on 152–154
managing Windows Defender in 28–29
Windows Server Containers 266
Windows Server Update Services (WSUS) 16–26, 135, 237
antimalware updates with 30
integrating Windows Defender with 30–31
topology 17
WMF. See Windows Management Framework
worker processes 83
group creation 290
installation 290
unsecured connections and 291
workload 60
workload administrators 60, 76
workload-specific security 245–310
WSUS. See Windows Server Update Services
XTS-AES-128 algorithm 8
XTS-AES-256 algorithm 8